sshd of openssh-3.9_p1 behaves differently if PAM is switched off either during compile time (see "A" below) or via configuration file (see "B" below). Login via S/Key challenge-response authentication succeeds in case A, but fails in case B.

Steps to Reproduce (case A):
1. Compile and install sshd with configuration "A" (see below)
2. Install sshd_config (see below)
3. ssh from remote machine

Actual Results (case A):
$ ssh user@host
otp-md5 89 foo1234567
S/Key Password:
[... login succeeds, as expected]

Steps to Reproduce (case B):
1. Compile and install sshd with configuration "B"
2. Install sshd_config
3. ssh from remote machine

Actual Results (case B):
[No password prompt appears and login is immediately refused:]
$ ssh user@host
Permission denied (publickey,keyboard-interactive).
$

Expected Results:
The behaviour of sshd should be identical in cases A and B (and should be as in case A).

Configuration (case A):
$ ./configure --prefix=/usr --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --sysconfdir=/etc/ssh --libexecdir=/usr/lib/misc --datadir=/usr/share/openssh --disable-suid-ssh --with-privsep-path=/var/empty --with-privsep-user=sshd --with-md5-passwords --without-kerberos5 --with-tcp-wrappers --with-skey --without-opensc --with-ipv4-default --without-pam

Configuration (case B):
as in case A, but last option replaced by "--with-pam"

/etc/ssh/sshd_config (identical for both cases; contains only 3 lines):
Protocol 2
PasswordAuthentication no
UsePAM no

I have also reported this as Gentoo bug: <http://bugs.gentoo.org/show_bug.cgi?id=65343>
Created attachment 720: Debug output from server log (case B)

The last lines of the "sshd -ddd" log show output from sshpam_init_ctx, in spite of UsePAM being switched off.
Created attachment 721: Proposed patch for auth2-chall.c
Comment on attachment 721: Proposed patch for auth2-chall.c

Looks OK to me, debug log indicates it's working (but I don't have skey set up).
hm, maybe it would be better to never include "pam" in the list of kbd-int submethods if !use_pam. I.e. build the lists in auth2-kbdint.c using ServerOptions
Could you send a client ("ssh -vvv") trace as well? I think the diff is incorrect: it just avoids the ssh code, but we should be falling back to the next method. The fact that there are PAM lines in the server output shouldn't matter, kbd-int should try other methods. As a workaround, you can try "ssh -oKbdInteractiveDevices=skey" to prefer skey authentication.
Created attachment 723: ssh -vvv output (original sshd)

Here is the output from "ssh -vvv" for the unpatched sshd.
Created attachment 724: ssh -vvv output (sshd with patch from attachment 721 applied)

And here is the "ssh -vvv" output for the patched sshd.
Concerning comment 4:

> hm, maybe it would be better to never include "pam" in the list of
> kbd-int submethods if !use_pam. I.e. build the lists in auth2-kbdint.c
> using ServerOptions

I thought about this, too. However, not being an ssh expert, I was not sure where would be a proper place to call an initialisation routine for the "devices" array. (It is also used for protocol 1 in auth-chall.c.)

Concerning comment 5:

> I think the diff is incorrect: it just avoids the ssh code, but we
> should be falling back to the next method. The fact that there are PAM
> lines in the server output shouldn't matter, kbd-int should try other
> methods.

At least for me it doesn't.

> As a workaround, you can try "ssh -oKbdInteractiveDevices=skey" to
> prefer skey authentication.

That works.
Created attachment 725: remove "pam" from kbdint devices if UsePAM=no

I looked at it too and removing the "pam" device is more invasive (in part, because the KbdIntDevice list is statically allocated). See attached. This patch could be simpler if pam is moved to the end of the device list (but that changes the default order for the skey+pam case). It's a good point about SSHv1 support too, it won't work at all when usepam=no, fixed in attached patch.
I have applied your patch. Unfortunately, it does not work correctly: ssh asks for the "S/Key Password:" 6 times instead of 3 times. The reason seems to be that remove_kbdint_device leaves a duplicate entry in the devices array: + for (i = 0; devices[i] != NULL; i++) + if (strcmp(devices[i]->name, devname) == 0) { + devices[i] = devices[i+1]; + i--; + }
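Review bot: the single assignment `devices[i] = devices[i+1]` in remove_kbdint_device moves only one slot, so the entry that sat at i+1 is now present at both i and i+1 and the NULL terminator is not pulled down, which is exactly the duplicate reported above; shift the whole tail instead, e.g. `for (j = i; devices[j] != NULL; j++) devices[j] = devices[j+1];`. Note also that the `i--` re-examines slot i after a match, so with the one-slot shift two adjacent entries of the same name would make the loop run forever.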
Created attachment 726: remove "pam" from kbdint devices if UsePAM=no take 2

Hmm, it would appear I didn't think that all the way through. How about the attached which does:

    for (i = 0; devices[i] != NULL; i++)
        if (strcmp(devices[i]->name, devname) == 0) {
            for (j = i; devices[j] != NULL; j++)
                devices[j] = devices[j+1];
            i--;
        }

It's kind of overkill though, given that the array will have either one or two members...
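As an added illustration (not OpenSSH's code and not the attached patch), here is a self-contained C model of the NULL-terminated keyboard-interactive device table with the two removal loops from attachments 725 and 726 side by side: the one-slot shift, which leaves the following entry duplicated and so doubles the number of S/Key prompts, and the tail shift, which does not. The `kbdint_device` struct, the two sample devices and the `MAX_DEVICES` bound are constructed for this example; sshd's real table is built from its auth modules and its retry logic is not modelled.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for OpenSSH's KbdintDevice; only the name is needed here
 * (constructed for this example). */
struct kbdint_device {
    const char *name;
};

/* Constructed sample devices in the order the bug report describes:
 * "pam" ahead of "skey". */
static struct kbdint_device pam_dev  = { "pam" };
static struct kbdint_device skey_dev = { "skey" };

#define MAX_DEVICES 4

/* Fill a NULL-terminated device table. */
static void init_devices(struct kbdint_device *devices[MAX_DEVICES])
{
    devices[0] = &pam_dev;
    devices[1] = &skey_dev;
    devices[2] = NULL;
    devices[3] = NULL;
}

/* Loop from the first patch: shifts only one slot, so the entry that
 * followed the removed one also stays at its old index, leaving a
 * duplicate. It never terminates if two adjacent entries match, so it is
 * only ever called here on a table where the name occurs once. */
static void remove_device_one_slot(struct kbdint_device *devices[],
                                   const char *devname)
{
    int i;

    for (i = 0; devices[i] != NULL; i++)
        if (strcmp(devices[i]->name, devname) == 0) {
            devices[i] = devices[i + 1];
            i--;
        }
}

/* Loop from the second patch: moves the whole tail down, including the
 * NULL terminator, so no duplicate remains. */
static void remove_device(struct kbdint_device *devices[], const char *devname)
{
    int i, j;

    for (i = 0; devices[i] != NULL; i++)
        if (strcmp(devices[i]->name, devname) == 0) {
            for (j = i; devices[j] != NULL; j++)
                devices[j] = devices[j + 1];
            i--;
        }
}

/* Count the entries carrying a given name; a NULL name counts every entry. */
static int count_named(struct kbdint_device *devices[], const char *name)
{
    int i, n = 0;

    for (i = 0; devices[i] != NULL; i++)
        if (name == NULL || strcmp(devices[i]->name, name) == 0)
            n++;
    return n;
}

/* "skey" entries left after dropping "pam" with the one-slot loop:
 * 2, the duplicate that doubled the S/Key prompts. */
int skey_entries_after_one_slot_removal(void)
{
    struct kbdint_device *devices[MAX_DEVICES];

    init_devices(devices);
    remove_device_one_slot(devices, "pam");
    return count_named(devices, "skey");
}

/* "skey" entries left after dropping "pam" with the tail-shifting loop: 1. */
int skey_entries_after_removal(void)
{
    struct kbdint_device *devices[MAX_DEVICES];

    init_devices(devices);
    remove_device(devices, "pam");
    return count_named(devices, "skey");
}

/* Build the table for a given UsePAM setting, dropping "pam" only when it
 * is off, and return the number of devices left (2 for yes, 1 for no). */
int device_count_for_use_pam(int use_pam)
{
    struct kbdint_device *devices[MAX_DEVICES];

    init_devices(devices);
    if (!use_pam)
        remove_device(devices, "pam");
    return count_named(devices, NULL);
}

int main(void)
{
    printf("one-slot removal leaves %d skey entries\n",
           skey_entries_after_one_slot_removal());
    printf("tail-shift removal leaves %d skey entries\n",
           skey_entries_after_removal());
    printf("UsePAM=no -> %d devices, UsePAM=yes -> %d devices\n",
           device_count_for_use_pam(0), device_count_for_use_pam(1));
    return 0;
}
```

The tail shift copies the terminator down with the rest of the entries, which is why the corrected table ends cleanly after "skey"; the one-slot version leaves the old terminator one slot too far out, so anything walking the table to NULL sees the duplicated entry.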
Tested again. As far as I can see, it works properly for both protocol versions 1 and 2.
Comment on attachment 726: remove "pam" from kbdint devices if UsePAM=no take 2

Any objections to committing this patch?
Thanks, patch #726 committed.
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.